Revision as of 16:38, 27 February 2011

This article was originally based on work by Frontalot at linkstationwiki.org and has since been largely re-written.

The Linkstation HG AVR

Hardware Information

Basic Information

The AVR in the HG Linkstation is an AT90S2313-4SC made by ATMEL, not Freescale as previously documented here. This is a cheap 4 MHz AVR with 2k of program space and 128 bytes of EEPROM.

CN4 (next to the battery on the LS HG board) is a 6-pin ISP header that can be used to read/program the AVR with a cheap device such as a usbtiny, which can be purchased as a kit or assembled from various hobby electronics websites. The cable supplied with the usbtiny has the same pinout and fits perfectly.

Hacking with avrdude

This is a basic walkthrough on analysing the AVR in the HG Linkstation with avrdude, dude. The following analysis was done entirely on OS X and will work the same in Linux.

Basic Testing

The following command tests connectivity to the AVR using a usbtiny connected to CN4:

This shows that avrdude can successfully connect to the AVR on the HG Linkstation, which means we can probably upload new firmware if we want to and extract the existing firmware that it shipped with originally.

Extracting AVR Information

So we want to know more information about our AVR. We could look in the datasheet for this information, but the part command in avrdude will tell us all we need to know to extract the firmware and anything else in the EEPROM. Typically I'll poke an AVR with an interactive avrdude session at this stage; here is how to start one with a usbtiny:

From the above information we can see the different memory types present in the AVR and their sizes - this means we can easily dump out the EEPROM (storage) and flash (program area) memory and see what is inside them.

EEPROM Dump

Let's dump the EEPROM and have a look inside - this memory area is typically used by an AVR for persistent storage:

Flash Dump

Finally, let's dump the 2k program area - this contains the firmware that the AVR runs. Due to the size of this I put it on another wiki page; you can find it at http://buffalo.nas-central.org/wiki/Information/HGAVR_Flash_Dump.

Pin assignment for the HGAVR

NOTE THIS SECTION IS POSSIBLY WRONG AND NEEDS RE-WRITING - unless there is a different edition of the HG Linkstation that uses a different kind of MCU (the number of AVR pins in my HG is 20, can someone verify 28 on another?)

The pin assignments and their functions in the HG are listed in the following table:

| PIN | SIGNAL | Description | PIN | SIGNAL | Description |
|-----|--------|-------------|-----|--------|-------------|
| 1 | ZIRQ | CN3.3 | 28 | ZRST | CN3.4 |
| 2 | PTA0 | DIAG LED | 27 | PTA5 | Power switch input |
| 3 | VSS | CN3.6 / CN3.9 | 26 | PTD4 | Fan pulse input for status checking |
| 4 | OSC1 | CN3.1 | 25 | PTD5 | HRST (CN5.13) |
| 5 | OSC2 | - | 24 | PTD2 | Control 12V feed to the main switching power via TR5, TR3 |
| 6 | PTA1 | Disk full LED | 23 | PTA4 | Reset switch input |
| 7 | VDD | CN3.2 | 22 | PTD3 | Fan speed control via TR2,TR1 |
| 8 | PTA2 | Power LED green | 21 | PTB0 | CN3.5 |
| 9 | PTA3 | Power LED yellow | 20 | PTB1 | CN3.10 |
| 10 | PTB7 | NC | 19 | PTD1 | IDE reset / TRST (CN5.4 via R66) |
| 11 | PTB6 | NC | 18 | PTB2 | CN3.7 |
| 12 | PTB5 | NC | 17 | PTB3 | CN3.8 |
| 13 | RXD | Connects to /dev/ttyS1 | 16 | PTD0 | Flash reset (ZRP on IC8.12) |
| 14 | TXD | Connects to /dev/ttyS1 | 15 | PTB4 | NC |

Software Information

Interaction With AVR In Linux

The AVR controls much of the LinkStation hardware, including the power button and LED indicator. It is controlled by the commands sent to /dev/ttyS1. To send commands to the AVR:

echo -n "commands" > /dev/ttyS1

| Command | Action/Code |
|---------|-------------|
| `\30\30\30\30` | Stops smbd and atalkd if /dev/hda3 is not mounted to /mnt. Sent by /www/script/melsub_diskcheck.sh. |
| `[[[[` | Starts slowly blinking power LED (sleep). |
| `]]]]` | High-speed cooling fan rotation. |
| `\\\\` | Low-speed cooling fan rotation. |
| `>>>>` | Unknown. Sent by ppc_uartd on boot. |
| `AAAA` | Unknown. Sent by ppc_uartd on boot. |
| `CCCC` | Sent by shutdown -r now (reboot). |
| `EEEE` | Sent by shutdown -h now (halt). |
| `FFFF` | Unknown. Sent by ppc_uartd on boot. |
| `JJJJ` | Unknown. Sent by ppc_uartd on boot. |
| `KKKK` | Unknown. Sent by ppc_uartd on boot. |
| `QQQQ` | Unknown. Sent by ppc_uartd on set timer. |
| `RRRR` | End of clear flash memory. |
| `SSSS` | Start of clear flash memory and /www/script/melsub_init.sh. Sent by /www/script/melsub_flash.sh. |
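
The command table above as a small sender script, added here as an example and not part of the original article or of the LinkStation's own scripts. The action names, the AVR_TTY override and the "one character repeated four times" check are assumptions of this example; the `\30\30\30\30` entry is left out because the page does not say how that escape is expanded.

```shell
#!/bin/sh
# Added example, not from the original article.
# AVR_TTY defaults to the /dev/ttyS1 path the article names; override it to
# point at a scratch file when testing away from the LinkStation.
AVR_TTY="${AVR_TTY:-/dev/ttyS1}"

# Map an action name (names invented for this example) to its command string
# from the table. Single quotes keep all four backslashes of the low-speed
# fan command; inside double quotes the shell would collapse "\\\\" to two.
avr_cmd_for() {
    case "$1" in
        sleep_led) printf '%s' '[[[[' ;;
        fan_high)  printf '%s' ']]]]' ;;
        fan_low)   printf '%s' '\\\\' ;;
        reboot)    printf '%s' 'CCCC' ;;
        halt)      printf '%s' 'EEEE' ;;
        *)         return 1 ;;
    esac
}

# Assumption drawn from the table: a command is one character sent four times.
avr_is_quad() {
    [ "${#1}" -eq 4 ] || return 1
    first=${1%???}            # strip the last three characters, keep the first
    [ "$1" = "$first$first$first$first" ]
}

# Look up, validate, then write the command with printf, which (unlike echo)
# never interprets backslashes in a %s argument and adds no newline.
avr_send() {
    cmd=$(avr_cmd_for "$1") || { echo "unknown action: $1" >&2; return 2; }
    avr_is_quad "$cmd" || { echo "not a 4x command: $cmd" >&2; return 3; }
    [ -w "$AVR_TTY" ] || { echo "cannot write to $AVR_TTY" >&2; return 4; }
    printf '%s' "$cmd" > "$AVR_TTY"
}
```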